fix: Improving safety

Author: iRingil

backend/src/app/api/routes/login.py

@@ -84,7 +84,12 @@ async def test_token(self, current_user: CurrentUser) -> Any:
         description="Send a password recovery email.",
     )
     async def recover_password(
-        self, email: str, user_crud: UserCrudDep, email_manager: EmailManagerDep, background_tasks: BackgroundTasks
+        self,
+        email: str,
+        user_crud: UserCrudDep,
+        email_manager: EmailManagerDep,
+        background_tasks: BackgroundTasks,
+        settings: SettingsDep,
     ) -> Message:
         """
         Endpoint to initiate password recovery for a user.
@@ -93,12 +98,19 @@ async def recover_password(
         :param user_crud: Dependency for user CRUD operations.
         :param email_manager: The email manager dependency.
         :param background_tasks: The background tasks service.
+        :param settings: The application settings dependency.
         :return: A confirmation message.
-        :raises HTTPException: If the user with the provided email is not found.
+        :raises HTTPException: If the user with the provided email is not found (local env only).
         """
         user: User | None = await user_crud.get_by_email(email=email)
+        if settings.ENVIRONMENT != "local":
+            if user:
+                background_tasks.add_task(email_manager.send_reset_password_email, email_to=email)
+            return Message(message="If an account with that email exists, a recovery email has been sent.")
         if not user:
-            raise HTTPException(status_code=404, detail="The user with this email does not exist in the system.")
+            raise HTTPException(
+                status_code=404, detail="The user with this email does not exist in the system. (Local env only)"
+            )
         background_tasks.add_task(email_manager.send_reset_password_email, email_to=email)
         return Message(message="Password recovery email sent")
 

backend/tests/app/api/routes/test_login.py

@@ -107,25 +107,36 @@ async def test_test_token() -> None:
 
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
-    "user_exists,raises_exception,expected_status,expected_detail",
-    [(True, False, None, None), (False, True, 404, "The user with this email does not exist in the system.")],
-    ids=["success", "user_not_found"],
+    "environment, user_exists, raises_exception, expected_detail_or_message, email_task_called",
+    [
+        ("local", True, False, "Password recovery email sent", True),
+        ("local", False, True, "The user with this email does not exist in the system. (Local env only)", False),
+        ("production", True, False, "If an account with that email exists, a recovery email has been sent.", True),
+        ("production", False, False, "If an account with that email exists, a recovery email has been sent.", False),
+    ],
+    ids=["local_success", "local_not_found_raises", "prod_success_safe", "prod_not_found_safe"],
 )
 async def test_recover_password(
-    user_exists: bool, raises_exception: bool, expected_status: int | None, expected_detail: str | None
+    environment: str,
+    user_exists: bool,
+    raises_exception: bool,
+    expected_detail_or_message: str,
+    email_task_called: bool,
 ) -> None:
     """
-    Test the recover_password endpoint for various scenarios.
+    Test the recover_password endpoint for various scenarios and environments.
 
-    :param user_exists: Whether the user exists.
-    :param raises_exception: Whether an exception is expected.
-    :param expected_status: Expected HTTP status code if exception is raised.
-    :param expected_detail: Expected exception detail if exception is raised.
+    :param environment: The simulated application environment.
+    :param user_exists: Whether the user is mocked to exist.
+    :param raises_exception: Whether an HTTPException is expected.
+    :param expected_detail_or_message: The expected detail for exceptions or message for success.
+    :param email_task_called: Whether the email sending task should be called.
     :return: None
     """
     user_crud_mock: AsyncMock = AsyncMock(spec=UserCrudDep)
     email_manager_mock: AsyncMock = AsyncMock(spec=EmailManager)
     background_tasks_mock: MagicMock = MagicMock(spec=BackgroundTasks)
+    settings_mock: MagicMock = MagicMock(spec=Settings, ENVIRONMENT=environment)
     email: str = "user@example.com"
     user: User = User(id=uuid4(), email=email, is_active=True, is_superuser=False, full_name=None)
     future_get: asyncio.Future = asyncio.Future()
@@ -139,21 +150,27 @@ async def test_recover_password(
                 user_crud=user_crud_mock,
                 email_manager=email_manager_mock,
                 background_tasks=background_tasks_mock,
+                settings=settings_mock,
             )
-        assert exc_info.value.status_code == expected_status
-        assert exc_info.value.detail == expected_detail
+        assert exc_info.value.status_code == 404
+        assert exc_info.value.detail == expected_detail_or_message
+        background_tasks_mock.add_task.assert_not_called()
     else:
         result: Message = await login_router.recover_password(
             email=email,
             user_crud=user_crud_mock,
             email_manager=email_manager_mock,
             background_tasks=background_tasks_mock,
+            settings=settings_mock,
         )
         user_crud_mock.get_by_email.assert_called_once_with(email=email)
-        background_tasks_mock.add_task.assert_called_once_with(
-            email_manager_mock.send_reset_password_email, email_to=email
-        )
-        assert result == Message(message="Password recovery email sent")
+        assert result.message == expected_detail_or_message
+        if email_task_called:
+            background_tasks_mock.add_task.assert_called_once_with(
+                email_manager_mock.send_reset_password_email, email_to=email
+            )
+        else:
+            background_tasks_mock.add_task.assert_not_called()
 
 
 @pytest.mark.asyncio